WEBINAR:On-Demand

TJX Companies (Quote) said in a filing with the Securities and Exchange Commission (SEC) this week that as many as 47.5 million customer records were stolen, making it the largest data breach of its kind.

The filing comes about two months after TJX released a report revealing evidence of intrusions of its customer database dating back to 2003.

The previous record for the largest data breach to date was believed to be at CardSystems, which in 2005 reported that hackers had gained access to some 40 million customer records.

TJX officials have said they did not discover the computer intrusion until Dec. 2006. "We do not know who took this action and whether there was one continuing intrusion or multiple, separate intrusions," TJX said in its report.

https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=iFor transactions after Sept. 2, 2003, TJX said it masked portions of the data on payment and check card transactions, replacing numbers with asterisks. However, despite encryption and other security measures, TJX said technology could have been used to get at the data. TJX said it has reason to believe the intruder had access to the decryption tool for the encryption software the company used.

The company also said it was continuing to investigate the security breach with the help of outside computer security firms it hired back in December. Law enforcement agencies were also notified including the U.S. Secret Service, which, TJX said, is also investigating the matter. TJX said the investigation will be costly.

The filing makes clear TJX has a long way to go before it will be able to assess the extent of how much personal information was taken. In some cases it may never know.

"The technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," TJX said in its filing. Other than certain specific areas it's identified, TJX said, "we believe that we may never be able to identify much of the information believed stolen."